
Saturday, October 25, 2014

Labs: MongoDB-AD Integration with Centrify - The Kerberos Remix

Background

In the previous post we discussed how MongoDB authentication can be streamlined with Centrify, covering SASL authentication integration and how to leverage Centrify's authorization capabilities to limit access to MongoDB via PAM with SASL.

However, SASL is the simple option; the setup can be greatly enhanced by using Kerberos instead.

Advantages of using AD Kerberos with Centrify

Centrify automatically creates and maintains the Kerberos environment of a UNIX, Linux or Mac OS X system: there is no need to deal with /etc/krb5.conf files, machine keytabs or incompatibilities, because Centrify's shared objects are optimized to work with AD regardless of the complexity of the AD environment (one-way trusts, cross-forest trusts, etc.).

The key benefit here is time to production. When App Developers or DBAs don't have to worry about standing up an environment (such as an MIT Kerberos realm), or about maintaining and understanding Kerberos, it's easier to focus on the tasks around MongoDB. Active Directory is your Kerberos infrastructure and Centrify is the enabler.

From a business perspective consistency is preserved by eliminating duplication of capabilities and processes.
From a security perspective, the access model remains the same and no additional attestation mechanisms need to be created.
From the user's perspective, they are more productive because we can eliminate an additional authentication prompt (remember how bad it looked when we saw the plaintext passwords on the screen?).

Another benefit is utilities like adkeytab, which allow for the provisioning and maintenance of service accounts and Kerberos key tables on your systems. MongoDB uses the GSSAPI interfaces to provide Kerberos authentication.

Moderation note: This post requires that you understand the basics of Active Directory and Kerberos. If any of these terms: domain controller, KDC, service principal name, user principal name, TGT, TGS, DNS, etc., are foreign to you, please do some background study.

Basics: What is GSSAPI?

The key here is that MongoDB supports Kerberos via the GSSAPI interfaces. Since Centrify makes Kerberos work effortlessly, the implementation is relatively simple:

MongoDB will start with GSSAPI authentication enabled and will use the key table file (keytab file) of an AD service account that has a UPN set to mongodb/<fqdn of system>@DOMAIN and an SPN set to mongodb/<fqdn of system>. This allows it to request a ticket-granting ticket or a service ticket, depending on the call.

Use adkeytab to create the service account and key table file for MongoDB

Adkeytab has been discussed previously here. Remember that when you use it, the service account's password is randomized; this eliminates the risk of several people knowing the credentials of a shared account, but it shifts the burden to protecting the keytab file, which is now the only copy of the credential. Make sure you have protocols around this. If you're using separation of duties, the UNIX admin may not have the rights to create a service account in AD, so you have to work in cooperation with the AD team.
Note: Remember that the Centrify Kerberos tools are in the /usr/share/centrifydc/kerberos/bin directory.

Step 1: Understand the adkeytab parameters:

This is a new account (the -n option is required)

Credentials are required to create the new account (-u <ad user that can create>), e.g. jerry.seinfeld (the AD admin in my environment)

A key table file will be created (-K /path/to/file), e.g. /etc/mongodb.keytab

An OU for service accounts in AD will be used (-c "dn of ou"), e.g. "ou=Service Accounts"

A UPN will be specified (-U service/principal@REALM), e.g. mongodb/cen3.corp.contoso.com@CORP.CONTOSO.COM

An SPN will be specified (-P service/principal), e.g. mongodb/cen3.corp.contoso.com

The UserName (samAccountName) will be different than the cn (-S name), e.g. mongodb.service (note: the limit here is 20 chars)

The final parameter is the cn, e.g. mongodb
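Before running adkeytab it helps to assemble the command from these parameters and check them, since a wrong samAccountName length or a UPN/SPN that do not agree only shows up later as a failed GSSAPI authentication. The script below is an added example, not the post's own command or a Centrify tool: it builds the adkeytab command line from the Step 1 values as a dry run (it only prints the command), enforces the 20-character samAccountName limit, checks that the SPN equals the UPN without its realm and that the realm is upper case, and checks that an existing keytab carries no group or other permissions. The values are the post's (jerry.seinfeld, cen3.corp.contoso.com, CORP.CONTOSO.COM, "ou=Service Accounts"); the -V verbose switch is assumed to be adkeytab's, so confirm it against adkeytab --help on your build.

```shell
#!/bin/sh
# Added example (not from the post): assemble and sanity-check the adkeytab
# invocation from the Step 1 parameters. Nothing here executes adkeytab; the
# command is printed for review and run separately, elevated, in Step 2.

# Centrify Kerberos tools live here (path given in the post).
ADKEYTAB=/usr/share/centrifydc/kerberos/bin/adkeytab

# validate_sam NAME: samAccountName is limited to 20 characters in AD.
validate_sam() {
    [ ${#1} -le 20 ]
}

# validate_principals UPN SPN: the SPN must equal the UPN with "@REALM" removed,
# and the realm must be upper case; otherwise the GSSAPI lookup and the keytab
# entry will not match.
validate_principals() {
    vp_upn=$1
    vp_spn=$2
    vp_realm=${vp_upn##*@}
    [ "$vp_upn" != "$vp_realm" ] || return 1      # no '@' in the UPN at all
    [ "${vp_upn%@*}" = "$vp_spn" ] || return 1
    vp_upper=$(printf '%s' "$vp_realm" | tr '[:lower:]' '[:upper:]')
    [ "$vp_realm" = "$vp_upper" ]
}

# build_adkeytab_cmd ADMIN KEYTAB OU UPN SPN SAM CN: print the command line.
# -n creates a new account; -V is assumed to be the verbose switch.
build_adkeytab_cmd() {
    b_admin=$1; b_keytab=$2; b_ou=$3; b_upn=$4; b_spn=$5; b_sam=$6; b_cn=$7
    validate_sam "$b_sam" || { echo "samAccountName '$b_sam' exceeds 20 characters" >&2; return 1; }
    validate_principals "$b_upn" "$b_spn" || { echo "UPN '$b_upn' and SPN '$b_spn' do not match" >&2; return 1; }
    printf '%s -n -V -u %s -K %s -c "%s" -U %s -P %s -S %s %s\n' \
        "$ADKEYTAB" "$b_admin" "$b_keytab" "$b_ou" "$b_upn" "$b_spn" "$b_sam" "$b_cn"
}

# check_keytab_perms FILE: the keytab is a credential; it must exist and carry
# no group or other permissions (mode 0600, owned by the account running mongod).
check_keytab_perms() {
    [ -f "$1" ] || return 1
    ck_mode=$(ls -ld "$1" | cut -c5-10)
    [ "$ck_mode" = "------" ]
}

# Dry run with the post's values; this prints the command to run in Step 2.
build_adkeytab_cmd jerry.seinfeld /etc/mongodb.keytab "ou=Service Accounts" \
    mongodb/cen3.corp.contoso.com@CORP.CONTOSO.COM mongodb/cen3.corp.contoso.com \
    mongodb.service mongodb
```

Run the printed command elevated in Step 2; afterwards, check_keytab_perms /etc/mongodb.keytab confirms the keytab has not been left readable by other local users. Because adkeytab randomizes the service account password, the keytab is the only copy of that credential, which is why its file permissions are the control that matters.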

Step 2: Run adkeytab in verbose mode (elevated, so it can write the keytab file to /etc)